[ale] Em

[Joe Knapka]

Does this happen consistently, every so often, just
once, or what? Might be a good idea to just physically
take the machine off the network, boot it, and see if
you get the same oops. If you don't, then send it a
SYN flood from itself. If you get the oops, then
chances are the problem is in the syncookie code (and
someone is really attacking your site). A quick Google
search turned up a number of sources of SYN flood
programs, which of course you should look at carefully
before using.

-- Joe Knapka

Joe Steele wrote:
> 
> I doubt there are any IP addresses in the hex data that was dumped to the
> log.  On the other hand, the SYN flood warnings in your log do give you
> source IP addresses.  Those will be the only source info that's available.
>  Unfortunately, if you were in fact subjected to a SYN attack, then the
> attacker would likely have used a phony source address anyway, making it
> difficult if not impossible to trace back.
> 
> I don't have much to suggest as far as a solution.  It's conceivable that
> it's not even an actual attack, but is caused by something else.  As I
> think I said before, SYN flooding may interfere with network traffic, but
> it shouldn't cause an oops message.  Possibly a tcpdump on the network
> interface would show something that confirms an attack.
> 
> You might try running your logs past the linux-net at vger.rutgers.edu mailing
> list.  (the list can be joined by sending e-mail to
> majordomo at vger.rutgers.edu with 'subscribe linux-net' in the body.)
> 
> --Joe
> 
> -----Original Message-----
> From:   jj at spiderentertainment.com [SMTP:jj at spiderentertainment.com]
> Sent:   Friday, October 08, 1999 5:25 PM
> To:     ale at ale.org
> Subject:        Re: [ale] Em
> 
> In these HEX numbers, is there an IP address I can extract ?

-- Joe Knapka
* I speak only for myself, not for The Software Monastery,
* which exists solely to provide an organization for which
* I can claim not to speak.
* http://whyme.penguinpowered.com/monastery.html